I haven’t done a technical article in a long time, and this one is fresh in my memory, so I took the opportunity to blog it.

First of all, if networking isn’t your thing, this may bore you. And by “networking,” I mean connecting computers with cables and having them talk to each other and to servers and internet sites and all that. I don’t mean going to the local Starbucks and getting to know a neighbor. However, if you went up to a stranger at Starbacks and said “hey, I’ve been meaning to interface my hard disk with your mainframe,” you might get a virus, so be sure bring your Trojans.

The gist of this article is how to track down a MAC address. An example might be: you’re an IT administrator, in charge of a large network in a medium-sized building, say 100 or more folks. Some kind of activity is coming from one of the systems somewhere, but all you know is an IP address. You want to physically hunt down where that IP address is, as in what port of what switch it’s plugged into. If you use DHCP to automatically assign IP addresses to your users (which the vast majority of people do in larger networks), you won’t necessarily know the physical location of, say, 192.168.245.33. In this example, all you know is the IP address, and there’s no DNS entry for it to tell you the name.

Let me start with some basics (continued in the extended entry, below).

In the IP world, which is what the Internet runs on (in fact, the “I” of IP is Internet, the “P” is Protocol), each device gets a special address. It’s supposed to be unique in their view of the world. In general, the IP address is mostly arbitrary, but there are some rules as to which ranges of addresses you should use for public vs private use. There’s no real law; people like Internet Service Providers and Three Initial Corporations “agree” to adhere to these rules. The 192.168.x.x range is one of these pre-established ranges, and if you have an internet connection at home with a network sharing device like a Linksys or Netgear, your PC will probably get an IP in that range. Those are called “private ranges” because your 192.168.1.100 is different than your neighbor’s 192.168.1.100 address. However, www.yahoo.com’s IP address is specific and unique, because everyone in the world needs to get to their specific server, so you can’t use their IP address.

IP Addresses are how computers talk to each other, regardless of distance or scope. For example, a 4.2.2.1 address might be across town, or it might be across the world. The “protocol” part of IP dictates how information, put into packets, can get from your IP address to another, anywhere in the world.

Example addresses:

However, on a local level, in the world of switches and hubs, another address becomes important. This is called the MAC address. MAC stands for Media Access Control but the name itself is unimportant. The point is that it’s a globally unique identifer for a specific network device, but is non-routable. Where IP addresses imply the ability to get from one to another (say, getting from your PC to yahoo.com), MAC addresses are just unique identifers with no routing ability inherent in the scheme. The MAC address is a 32-bit string of hexadecimal numbers and letters that looks like gobble-de-gook. What’s more annoying is that you can write a MAC address in many different ways.

Example MAC address, in 4 different forms

This MAC address is how your PC talks to it’s immediate physical neighbors, such as a printer, or a router, or another PC. The IP address isn’t enough for your PC to talk to the printer – your PC needs to know the MAC address of the printer to talk on the lower layer.

By the way, when you talk about MAC addresses, you’re talking about Layer 2 of the OSI model. IP Addresses are Layer 3. Any of these terms sound familiar?

Now, when your PC, say, at 192.168.1.100 needs to talk to your Linksys router, which is at 192.168.1.1, it has to know the linksys’ MAC address. It finds this out by doing an ARP (address resolution protocol). It broadcasts out on the little network cable in a manner similar to the following. Note: this is a broadcast, so it’s in upper caps. It’s like the guy is shouting to everyone, because everyone on the wire has to stop and listen):

“HEY EVERYONE! LISTEN UP. THIS IS ME, MR PC AT 192.168.1.100, MAC ADDRESS 00-18-8B-A4-BA-D0! YO TO THE EAST SIDE! ANYBODY OUT THERE KNOW WHERE THE HELL 192.168.1.1 IS? COME ON, ANYBODY?“

If 192.168.1.1 is listening, then it replies to the ARP by saying something like

So now MR PC knows the MAC address and can talk directly to the linksys at Layer 2.

This is all well and good when you’re talking about two or three devices on a local area network. But when you have hundreds of devices, it gets a little more difficult to find out what cable where goes to the device with a specific address.

This is where the CAM table comes in, or ARP table. CAM stands for Content-Addressible Memory. This is a fancy way of saying that a switch in the comm room is constantly listening to all these yelling matches going on, and writes down in a special list all the MAC addresses it hears. It also writes down where it heard it. For example, port 4/2 on some Cisco switch might hear the shouting and know that 00-12-3F-A4-1A-C6 is on that port. This list is sometimes called the ARP Cache, the ARP Table, or the CAM Table. Maybe the Dynamic MAC table. It doesn’t matter what it’s called – what matters is that it’s a big list of MAC addresses seen recently by the switch. And by recently, I mean usually 30 seconds.

The trick of finding a specific MAC address in a large array of different vendor switches is knowing the commands required to find the port that has that MAC address.

Unfortunately, when you have all these switches put together, they may talk to each other as to knowing that a MAC address is on the switch, but they don’t all share what port the MAC address was seen. So you actually have to find the specific switch. This is where it can get daunting.

Oh, and to top it off, each vendor has a different command for finding the port a MAC address was last seen.

Ciscosh cam <mac address>

Foundrysh mac <mac address>

Dell PowerConnectshow bridge address-table address <mac address>

Here’s an example of me finding a specific MAC address, inside a cluster of various network devices made up of Cisco, Foundry and PowerConnect, via the command line.

I start with a Cisco 6509 switch, our main switch:

Note: bolded entries are the commands I typed; highlighted entries are what I’m looking for in the output

This is telling me that as far as this switch knows, this mac address was last seen on port 2/7. I check that port, and it’s a trunk to another one of my switches, a Foundry. So I telnet over to that switch and continue the chase, in Foundry-speak.

Hmm. Now it’s telling me that it knows about this mac address through port 1/6, which is another trunk to yet another switch, this time a Dell PowerConnect. Off I go, into the wild blue yonder…

sw-dell# show bridge address-table address 00b0.d063.c226
Aging time is 300 sec Vlan Mac Address Port Type
——– ——————— —— ———-
104 00:b0:d0:63:c2:26 e41 dynamicAha! Now I’ve found a port that’s not another trunk. This port (e41) should be where the system is.

Ugh, Dell surely didn’t make it easy to figure out how to get a MAC address. Most networking vendors seem to copy Cisco’s command set, at least a little, but this is ridiculous.

We trace down that cable and sure enough, it is the system with that specific IP address. System found!

I was discussing this technique here not 2 weeks ago, but forgot most of the details on how to do it. I had to do this years ago at [LARGE UNNAMED MEDICAL UNIVERSITY] when I worked in IT/desktop. Since it was a University and there was always weird funny money department charges for things, IT used to “charge” per network drop. Not that any money changed hands really, but it was all for the sake of tracking resources. Doctors, being the cheap people that they are, always used to fight saying they should be able to put more then one PC on each drop, should never have to pay for desktop help, and once they paid for a PC, anything including upgrades should be free. One well known cheapskate and computer tinkerer had the brilliant idea of using the new fangled NT “Internet Connection Sharing” utility but only using a single ethernet device. So he started a DHCP server serving out 192.168.0.0/16 addresses on our network. Side note, the university network admins at the time thought VLANs were unproven and dangerous, and the entire campus was one giant broadcast lan, or at least a pile of /16s anyway, all public addresses. (Sider note, they still are there and they still believe this) So here was Dr. Cheapskate sending out invalid addresses to the entire campus. This caused a flurry of calls from users saying they couldn’t get on the network and it took us a while to figure out everyone was getting bad dhcp. A coworker and I tracked the IP/MAC back to a particular floor of a particular building, and immediately knew who it was based on location. We had to dispatch a desktop tech to go talk to the individual because the network guys refused to believe our tracking, and kept calling it “no big deal.” Plus, in this place, once you get to Dr status, you can do whatever you want and never suffer consiquences so I think the net guys were afraid of doing battle with this Dr. but shutting down his port. Ask me sometime about the 3 Levels of employment there…

When I worked at Scient (my all-time favorite job), we had a neat system that worked well with our environment. We were 1800 consultants in 14 different offices throughout the US. Everyone was at 80% travel or more, so you never knew which office any given colleague was visiting. We heavily employed the use of peer review, conferences, etc and wanted to take advantage of serendipity whenever possible.

So the cool system was this:

A) you connect your laptop to the LAN

B) the DHCP server gives you an address.

(Yes, I realize this doesn’t sound very cool so far, but keep reading.)

C) the DHCP makes note of your MAC address.

(hmm. that sounds interesting)

D) The MAC address is matched against a database of employees kept up to date by IT every time they issue a laptop.

(ok, that sounds maybe a little cool, but what’s the point?)

E) A side process spawns and goes to traverse the switches to find out what port that MAC address was currently connected to.

(alright, that would be a pretty neat script. Are you auditing or something?)

F) Each network port is mapped to a coordinate system on every floor plan of every campus in the same database. So for example, port 4/16 of this switch is actually connected to cube 104 in the east wing.

(whoa, sounds like someone did a lot of work)

G) Each cube is given a set of map coordinates based on the floor plan, such that cube 104 is on this GIF file right about “here”, in xy coordinates, like 645,324.

(someone is a little busy, aren’t they?)

H) The “zone” (what Scient called it’s customized intranet) had an employee lookup page. On that lookup page, when you found an employee by name, number, skillset or whatever, over on the right hand side was a graph of “where am I today?”. Right under that, was a big header listing the name of the campus (ie, Austin, New York, San Franscisco) and the floor (2nd, 3rd), and then below THAT, a floor plan with a big red dot on the cube where the person was.

(gasp! spurt! choke! WHAT?!?!?!? The intranet was a dynamic map telling you where they were parked for the day?!?! OMG! THAT’S SO FREAKING COOL!)

I’ll have to check out NetReg. (ok, done). That sounds pretty cool, but it does obviously require the end user to participate in the IP address-assignment phase, and that probably wouldn’t work well for us. We do use DHCP, tie it to Dynamic DNS, and we have group policies for the Windows boxes that are SUPPOSED to auto-update DNS when it gets an IP, but still, even if we put in decent attempts to verify all of this, I end up not being able to trust the then-assigned DNS name for any given IP.

So NetReg seems to be a good answer for smaller networks, and seems to also give a decent semblance of security, but I would probably argue for 802.1x authentication, which is one of our next projects. When you have a switch that supports 802.1x, then what happens is you get put into a VLAN based on your authentication, and it can be without the user’s participation.

Everyone know about two-factor authentication? Here’s the gist: you have three ways to prove you are who you say you are: something you have (like a token), something you know (like a username and password) and something you are (biometric – fingerprint, retinal scan). Two-factor authentication is when you have 2 of the 3 things. A smart card with a login is 2 factor. A SecurID card with a 60-second password, combined with a login is 2 factor.

Now, for sake of argument, imagine a Windows domain and Windows machines in that domain. When you join the system to the domain, you can have a group policy automatically add a certificate, signed by the domain controller, to the machine. That’s one form of authentication (something you have; a token). Then, assume the user is logged into the machine with their username and password. That would be the second form of authentication (something you know). Given these two forms, the computer authenticates to the switch, the switch puts them in the appropriate VLAN, and then DHCP server on that segment doles out a specific IP.

The cool thing here is that if the computer does NOT authenticate, it can be put into an unsecure VLAN, given a different address and maybe given NAT’ed internet access but no internal access.

That way, you can open up all the ports in your campus and not worry as much about physical security – you know, how people visitors might come into your conference rooms and “borrow” a network connection, and all of a sudden get access to internal stuff? Properly implemented 802.1x massively minimizes that threat.

I guess I just mean that it seems to be an imposition on the end users, requiring them to use a browser. But I could have improperly glanced at the overview of NetReg and maybe that’s not what it’s all about.

And how do you require guests to use VPN? What do they VPN into? I would think you’d want guests to just get Internet access, either through a dirty, unsecure network, or a NAT’ed network so at least they get some protection but have no access to inside.

We force all pages except a select few to nav to NetReg and force them to go through registration using their account and password for (everything else).

For guests they certainly can just plug into jacks in non-NetReg buildings (once NetReg is everywhere that won’t be the case) or they can use our wireless network which requires VPN. We give out guest VPN accounts but a worker bee has to claim responsibility for the network usage of their guest.

Wow, this is a pretty useful article. However, I was wondering if you could track down the the physical location of a computer if you had their last used IP address and they disconnected like 10 minutes before you started to attempt to trace it.

George – as long as that IP is in an ARP table somewhere, you can. However, ARP caches can be as low as 30 seconds or as high as 3 minutes or longer if the router/switch/network device has nothing better to do.

If you have a need to actually determine this kind of info, 802.1x might be for you. It authenticates the user before giving them access to a specific VLAN or ACL, and logs it. That way you have definitive correlation of user auth to IP address assignment.

Dear Whall,
This blog post is 7 years old so I am not sure if anyone still has access or uses this site. I am in need of guidance and a lesson to help track a particular tablet device. I only have the mac address and with all the information I have been reading that may not be enough for anything. It will most likely be used on a personal home wifi system but with the same coverage carrier as myself, Fidelity. If you think you can be of any assistance I would greatly appreciate your guidance. My level of knowledge is basic C++ and FORTRAN. Thank you for your time.